It’s a bad news Monday for up to 950 million — yes, that’s almost 1 billion — Android device owners worldwide. A vulnerability that would let a hacker take over your phone remotely has been announced, and it’s a doozy.

The damage travels by text, Forbes reports, and takes advantage of a weakness in a piece of code called Stagefright.

Stagefright is a tool Android uses to play back media — any text you get that’s an MMS (as opposed to an SMS) is played back to you using Stagefright. Any app that can read your text messages sits on top of that code, from Google Hangouts to your pre-installed default “Messaging” program.

Joshua Drake, the security researcher who discovered the flaw, told Forbes that the only thing a hacker would need to send out exploits would be phone numbers. Attackers could then send messages to those numbers with bad code packaged in that would allow them to access the receiving device and steal data.

The access attackers would gain extends to files stored on SD cards as well as in the phone's memory. Attackers could also turn your phone into a bug, remotely recording audio and video without your knowledge. Bluetooth access is also hackable via Stagefright. All versions of Android from 2.2 and up are considered vulnerable.

If that sounds terrifying, well, it kind of is. And then it gets worse. The exploit isn’t like a virus-laden e-mail attachment; you don’t actually have to try to view the media in order to be affected. Merely looking at the message in some apps is enough.

And then there are the apps where you don’t even have to open the message: for folks who use Google Hangouts to read their texts, Hangouts would open and access the exploit code “immediately before you even look at your phone… before you even get the notification,” Drake told Forbes, adding that it’s possible then to delete the message before the user even receives an alert, making the attack completely silent.

The good news is, after Drake reported his findings, Google has verified and corrected seven security holes. But here’s the bad news: Google doesn’t update Android phones directly. Service providers do. So Verizon, Sprint, T-Mobile, AT&T, and other, smaller carriers all have to push patches to their own Android customers… and they are not known for doing so quickly.

Drake will be speaking about his process for discovering vulnerabilities in Android at the Black Hat InfoSec conference in Las Vegas next week.